Let me offer some comments on the rpmlint output.
W: at strange-permission atd.init 0775
W: at strange-permission test.pl 0755
Generally these aren't worth bothering with, but having a file group writable
in your checkout could be problematic. I don't see that, but I think my umask
doesn't allow it. Someone should try to understand where this is coming from.
E: at non-readable /etc/pam.d/atd 0640
I think this is OK, albeit different from what most other packages do. (They
use 0644).
E: at non-standard-dir-perm /var/spool/at/spool 0700
E: at non-standard-dir-perm /var/spool/at 0700
E: at non-readable /etc/at.deny 0600
E: at non-readable /var/spool/at/.SEQ 0600
These are necessitated by security.
W: at hidden-file-or-dir /var/spool/at/.SEQ
That's just the file that at uses; it's OK for it to be hidden.
E: at setuid-binary /usr/bin/at root 04755
E: at non-standard-executable-perm /usr/bin/at 04755
These are necessary.
W: at dangerous-command-in-%post chown
I'm not really sure why these are here as opposed to just being part of
%files. Perhaps rpm would keep creating .SEQ.rpmnew files endlessly otherwise?
If so then I think it's OK.
W: at service-default-enabled /etc/rc.d/init.d/atd
It's allowable for a service to be on by default, especially in the case of a
daemon that everyone expects to be there.

Marcela Maslanova: Do you still need more info? I had a few people IRC look
over the review to help provide you with the information I thought you were
requesting. Let me know if you need more from me.

>W: at strange-permission atd.init 0775
>W: at strange-permission test.pl 0755
> Generally these aren't worth bothering with, but having a file group writable
>in your checkout could be problematic. I don't see that, but I think my umask
>doesn't allow it. Someone should try to understand where this is coming from.
I see atd.init and test.pl at 0755 permissions in the source. It looks like
those two files are not in upstream and added to make this package. So
basically, the question is can they have better perms? I think the answer is yes.
I am also still seeing a difference between debian's upstream sum and the source
used for this package. I am not sure why that is. When I unpack both soruces
and run a diff, I see no difference.
From the package review guidelines:
- MUST: The sources used to build the package must match the upstream source, as
provided in the spec URL. Reviewers should use md5sum for this task.

It was stupid differnce between at_... and at-... Now are the sums the same.
debian source
6e5857e23b3c32ea6995fb7f8989987e at_3.1.10.tar.gz
cat sources
6e5857e23b3c32ea6995fb7f8989987e at_3.1.10.tar.gz